HighProventia Server IPS for Microsoft Windows technology, BlackICE PC Protection, BlackICE Server Protection, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Desktop, Proventia Network IDS, Proventia Network IPS, RealSecure Network, RealSecure Server Sensor, Proventia Server IPS for Linux technology:
This signature triggers when the size of an HTTP request is greater than pam.http.request.limit and the HTTP server is known to be either Apache, Oracle or is unknown.
Proventia Server IPS for Microsoft Windows technology, BlackICE PC Protection, BlackICE Server Protection, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Desktop, Proventia Network IDS, Proventia Network IPS, RealSecure Network, RealSecure Server Sensor, Proventia Server IPS for Linux technology: This signature will trigger on any HTTP request when it meets the specifications described by the algorithm.
This signature will trigger on any HTTP request data when it meets the specifications described by the algorithm.
Proventia Server IPS for Microsoft Windows technology, BlackICE PC Protection, BlackICE Server Protection, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Desktop, Proventia Network IDS, Proventia Network IPS, RealSecure Network, RealSecure Server Sensor, Proventia Server IPS for Linux technology: If you customize the server type reported by your HTTP server, then this signature may not trigger in your environment.
High
Proventia Server IPS for Microsoft Windows technology: 1.0.914.2260, Proventia Server IPS for Microsoft Windows technology: 2.0.300.2260, BlackICE PC Protection: 3.6crf, BlackICE Server Protection: 3.6.crf, Proventia Network MFS: XPU 28.120, Proventia-G 1.1 and earlier: XPU 28.120, Proventia Desktop: 2260, Proventia Network IDS: XPU 28.120, Proventia Network IPS: XPU 28.120, RealSecure Network: XPU 28.120, RealSecure Server Sensor: XPU 28.120, Proventia Server IPS for Linux technology: 28.120
BEA WebLogic Server: 6.0, BEA WebLogic Server: 6.1 SP1, BEA WebLogic Server: 6.1 SP2, BEA WebLogic Server: 6.1, BEA WebLogic Server: 7.0, BEA WebLogic Server: 7.0.0.1, BEA WebLogic Server: 5.1, BEA WebLogic Server: 7.0 SP4, BEA WebLogic Server: 7.0 SP5, BEA WebLogic Server: 8.1, BEA WebLogic Server: 8.1 SP1, BEA WebLogic Server: 9.0, BEA WebLogic Server: 7.0 SP6, BEA WebLogic Server: 9.1, BEA WebLogic Server: 8.1 SP6, BEA WebLogic Server: 7.0 SP7, BEA WebLogic Server: 10.0, BEA WebLogic Server: 10.0 MP1, BEA WebLogic Server: 3.1.8, BEA WebLogic Server: 4.0, BEA WebLogic Server: 4.0.4, BEA WebLogic Server: 4.5, BEA WebLogic Server: 4.5.1, BEA WebLogic Server: 4.5.1 SP15, BEA WebLogic Server: 4.5.2, BEA WebLogic Server: 4.5.2 SP1, BEA WebLogic Server: 4.5.2 SP2, BEA WebLogic Server: 5.1 SP1, BEA WebLogic Server: 5.1 SP10, BEA WebLogic Server: 5.1 SP11, BEA WebLogic Server: 5.1 SP12, BEA WebLogic Server: 5.1 SP13, BEA WebLogic Server: 5.1 SP2, BEA WebLogic Server: 5.1 SP3, BEA WebLogic Server: 5.1 SP4, BEA WebLogic Server: 5.1 SP5, BEA WebLogic Server: 5.1 SP6, BEA WebLogic Server: 5.1 SP7, BEA WebLogic Server: 5.1 SP8, BEA WebLogic Server: 5.1 SP9, BEA WebLogic Server: 6.1 SP3, BEA WebLogic Server: 6.1 SP4, BEA WebLogic Server: 6.1 SP5, BEA WebLogic Server: 6.1 SP6, BEA WebLogic Server: 6.1 SP7, BEA WebLogic Server: 6.1 SP8, BEA WebLogic Server: 7.0.0.1 SP1, BEA WebLogic Server: 7.0.0.1 SP2, BEA WebLogic Server: 7.0.0.1 SP3, BEA WebLogic Server: 7.0.0.1 SP4, BEA WebLogic Server: 8.1 SP2, BEA WebLogic Server: 8.1 SP3, BEA WebLogic Server: 8.1 SP4, BEA WebLogic Server: 8.1 SP5, BEA WebLogic Server: 9.1 GA, BEA WebLogic Server: 9.2, BEA WebLogic Server: 9.2 MP1, BEA WebLogic Server: 9.2 MP2, Oracle WebLogic Server: 10.3, BEA WebLogic Server: 6.0 SP6, BEA WebLogic Server: 7.0 SP1, BEA WebLogic Server: 7.0 SP2, BEA WebLogic Server: 7.0 SP3, BEA WebLogic Server: 9.0 GA, BEA WebLogic Server: 9.0 SP1, BEA WebLogic Server: 9.0 SP2, BEA WebLogic Server: 9.0 SP3, BEA WebLogic Server: 9.0 SP4, BEA WebLogic Server: 9.0 SP5, BEA Apache Connector IN WebLogic Server, BEA WebLogic Server: 6.0 SP1, BEA WebLogic Server: 6.0 SP2
Unauthorized Access Attempt
Oracle WebLogic Server (formerly known as BEA WebLogic Server) is vulnerable to a buffer overflow, caused by improper bounds checking by the Apache Connector. By sending a specially-crafted HTTP POST request, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the server to crash.
Apply the appropriate patch for your system, as listed in BEA Security Advisory (CVE-2008-3257). See References.
BEA Web site
BEA WebLogic Server
http://www.bea.com/framework.jsp?CNT=index.htm&FP=/content/products/weblogic/server
milw0rm.com [2008-07-17]
Bea Weblogic Apache Connector Code Exec / Denial of Service Exploit
http://milw0rm.com/exploits/6089
BEA Security Advisory (CVE-2008-3257)
Security vulnerability in WebLogic plug-in for Apache
https://support.bea.com/application_content/product_portlets/securityadvisories/2793.html
IBM Internet Security Systems Protection Alert - August 1, 2008
Oracle WebLogic Server Apache Connector Remote Code Execution
http://iss.net/threats/299.html
Oracle Security Alert for CVE-2008-3257
Alert_CVE-2008-3257
http://www.oracle.com/technology/deploy/security/alerts/alert_cve2008-3257.html
ISS X-Force
Oracle WebLogic Server Apache Connector buffer overflow
http://www.iss.net/security_center/static/43885.php
CVE
CVE-2008-3257
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3257